Friday, May 20, 2011

"Unknown Hard Error" BSOD and CI.DLL

My Windows 7 64-bit laptop suffered a BSOD with "Unknown hard error". A reboot resulted in Windows immediately going into Startup Repair mode, and the log showed that the file ci.dll had been corrupted.

I tried booting into Safe Mode and tried a Last Known Good boot, but neither option worked; each time the system jumped back into Startup Repair. Finally, I chose the option Disable Driver Signature Enforcement, and was able to successfully boot into normal mode. This option bypasses the Windows check for system or driver file corruption, so at that point it seemed that some software or driver I'd recently installed or updated might have led to this boot issue.

Days prior I'd been noticing some strange behavior in Windows. I had been unable to access my GMail and Live accounts. GMail would forever remain at the initial progress bar, eventually timing out and asking if I wanted to use basic HTML mode; Live would load the initial screen showing my email but then just sit there, and clicking on my Inbox, Sent Items or other folders did nothing. Once I booted in this Disable Driver Signature Enforcement mode, though, there was a new twist: it appeared my Google search results were now occasionally being redirected to advertising sites.

It turned out to be malware, a rootkit to be specific.

I ran a full scan with the latest SpyBot as well as with Symantec Endpoint Protection, which is installed on all our workplace PCs, but neither found anything.

However, in tracking down other reports of apparent ci.dll file corruption, I discovered Kaspersky's TDSSKiller tool. I downloaded and ran the tool, which performed a concise scan that took roughly a minute to complete. Lo and behold, a rootkit, a member of the notorious TDSS family.

Rootkit.Win32.TDSS.tdl4
I ensured the Cure option was selected, then clicked Continue, and allowed the tool to initiate a reboot and hopefully clean out the rootkit.
Following the removal, I could once again boot into Windows normally, and the anomalous behaviors described above no longer occurred.
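A defender's check for the two things this post turns on, the integrity of ci.dll and whether signature enforcement is still in force, as an added example that is not part of the original post or of any vendor tool. It assumes an elevated PowerShell prompt on a Windows 7-era system; the file list and the two bcdedit setting names it looks for are my choices.

```powershell
# Added example (not from the original post): report the Authenticode status of
# boot-critical code-integrity files and flag boot settings that bypass signature
# enforcement. Run from an elevated PowerShell prompt; uses only cmdlets present
# in the PowerShell 2.0 that shipped with Windows 7.

# Boot-critical binaries carry embedded signatures, so Get-AuthenticodeSignature can
# verify them directly. (Catalog-signed files elsewhere in System32 may report
# NotSigned on old PowerShell versions; that is a limitation of this check, not
# evidence of tampering.)
$bootFiles = @(
    "$env:SystemRoot\System32\ci.dll",       # the file Startup Repair reported as corrupt
    "$env:SystemRoot\System32\ntoskrnl.exe",
    "$env:SystemRoot\System32\winload.exe"
)

function Test-BootFileSignatures {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        if (-not (Test-Path $path)) {
            Write-Output ("{0,-12} {1}" -f 'MISSING', $path)
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(no signer)' }
        # Anything other than 'Valid' on a boot-critical file deserves a closer look
        Write-Output ("{0,-12} {1}  signer: {2}" -f $sig.Status, $path, $signer)
    }
}

function Test-BootIntegritySettings {
    # 'nointegritychecks Yes' or 'testsigning Yes' on the current boot entry means the
    # code-integrity check that flagged the corrupted ci.dll is skipped on every boot,
    # i.e. the one-time "Disable Driver Signature Enforcement" choice made permanent.
    $entry = bcdedit /enum '{current}' 2>&1 | Out-String
    foreach ($setting in 'nointegritychecks', 'testsigning') {
        if ($entry -match "(?im)^\s*$setting\s+Yes") {
            Write-Output ("WARNING      {0} is enabled on the current boot entry" -f $setting)
        } else {
            Write-Output ("OK           {0} is not enabled" -f $setting)
        }
    }
}

Test-BootFileSignatures -Paths $bootFiles
Test-BootIntegritySettings
```

A `NotSigned`, `HashMismatch` or `MISSING` line for ci.dll, or a `WARNING` line, is the cue to run a rootkit-aware scanner such as the one described above before trusting the system again; `sfc /verifyonly` from an elevated prompt is the built-in cross-check for the rest of the protected system files.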


8 comments:

Anonymous said...

This was spot on. Followed your instructions and was up and running without the normal pain and suffering!
Thanks!

Matthew Centonze said...

thanks bud! this really helped me!

Anonymous said...

Thank you! Had this problem today and your solution worked great!!!

Anonymous said...

thanks so much...

Nadav said...

Thank you! You saved me! (and my computer from a clean install...)
Do you know if there is any AntiVirus software out there that can detect this virus?

Darth Continent said...

To all whom this helped, you're welcome!

@Nadav: My machine hasn't since been reinfected with this rootkit so I don't know, but since Kaspersky's tool detected it, perhaps their antivirus suite also has the ability to find and remove rootkits like this one?

Anonymous said...

Google redirecting was my first symptom, but nothing picked up anything so I thought it might have been a security issue with the browser itself, so I updated and thought nothing was wrong. Then everything happened exactly the same way, your solution was a huge help. Though I had to load the page on another computer, damn thing was actively blocking pages that could have helped.

Anonymous said...

Very helpful post, had the exact same problem!
Thanks!